5
9/11/2012Pomcor 5 1. Public Key Cryptography without Certificates Mobile device  application (back-end): Database handle of a device record that contains the hash of public key and refers to user record Public key Proof of knowledge of private key Application  directory Database handle of device record Hash of public key Directory  application User identifier(s) and/or attribute(s)

7
9/11/2012Pomcor 7 2. Key Pair Regeneration as an Alternative to Tamper Resistance PIV card stores credentials in tamper-resistant storage But mobile devices do not have tamper-resistant storage  Encrypt private key under key derived from PIN? That would allow offline attack against PIN Instead we propose to regenerate the key pair from the PIN (or from a biometric key)  All PINs produce well-formed key pairs, so PINs cannot be tested and offline attack is not possible

8
9/11/2012Pomcor 8 RSA Key Pair Regeneration from a PIN Idea Store p, q in device, but not e or d Generate d as a randomized hash of the PIN, of same length as the modulus Compute e such that 1 < e < φ and ed  1 (mod φ) Problem: what if gcd(d,φ)  1? Solution: Remove from d all prime factors r < 100 shared with φ. During initial key generation, if d has prime factors r ’ > 100 shared with φ, we start over with different p and q (probability: 0.2%)

9
9/11/2012Pomcor 9 Non-problem: Retaining p and q does not reduce security (they could be computed from the key pair) Non-problem: d not vulnerable to small-decryption-exponent attacks RSA Key Pair Regeneration from a PIN (Continued)

12
9/11/2012Pomcor Encapsulation of Cryptographic and Biometric Processing Application outsources cryptographic and biometric complexities to a Prover Black Box (PBB) and a Verifier Black Box (VBB) PBB is in mobile device VBB online, trusted by application Could be implemented as a generic server appliance Many possible configurations In some configurations, outsourcing protocol uses “ native URLs ” (available in iOS and Android) for interapp communications within the device

23
9/11/2012Pomcor 23 Many Possible Configurations App May have native front-end (as shown), or May be accessed through a web browser PBB One credential for multiple apps Different credentials for different apps May be embedded in application front-end Browser plug-in  works on desktops and laptops VBB May be a generic server appliance May be app- or enterprise-specific, and access the directory Multiple security domains

29
9/11/2012Pomcor 29 Beyond Derived Credentials Password elimination on the Web at large without sacrificing privacy Social login without passwords Effective data protection for locked phones

30
9/11/2012Pomcor 30 Eliminating Passwords without Sacrificing Privacy Authentication by userid-password provides anonymity, unlinkability and unobservability Alternatives being proposed (OpenID, SAML, etc.) redirect to a third party Third party identifies user  no anonymity Authentication to different relying parties can be linked via the third party identifier Third party observes the transaction Our techniques eliminate passwords and preserves privacy (anonymity, unlinkability and unobservability) because they do not involve a third party

32
9/11/2012Pomcor 32 Data Protection Problem Data protection in iPhone locked by a PIN Data encrypted by key hierarchy including a key derived from PIN and a “ hardware key ” that cannot be extracted from the silicon by a casual user PIN protected against offline attack by hardware key But: Vulnerabilities  hardware key used for offline attack using the phone ’ s own processor; exhaustive attack on 4-digit PIN takes 40 min Hardware key could be extracted by probing the silicon

33
9/11/2012Pomcor 33 Data Protection Solution Encrypt data under symmetric key Store symmetric key in online server, or split it over several servers using Shamir ’ s k-of-n secret sharing technique Retrieve key over secure connection(s), authenticating with a key pair regenerated from a PIN and/or a biometric, so that tampering with phone does not help attacker

34
9/11/2012Pomcor 34 Risks of Mobile Applications? Mobile computing architecture potentially more secure Apps are sandboxed But vulnerabilities allow rooting Routinely used for jailbreaking and by forensic tools GMU, NIST, NSA working on hardened Android kernel Hardening should include interapp communications Our data protection technique … Protects data against exploitation of vulnerabilities after seizing device But malware running while legitimate user is using the device could capture PIN or biometric data